The flaw was only resolved after Fairfax Media raised a series of questions about the vulnerability, which also exposed Vodafone customers to identity theft through unauthorised access to online services such as Google, which use two-factor authentication via a phone call.

Shubham Shah discovered a security flaw in the way Vodafone handled voicemail. Credit: Peter Rae

Brute forcing involves hackers using software to try multiple PIN combinations to gain access to a service. Typically, secure systems employ brute-force protection that locks hackers out after a certain number of incorrect attempts, but Vodafone's Australian system had no such protection.

These codes – which come in handy as a second layer of security when online log-in credentials are stolen – are usually sent via text message but can also be sent via a phone call and end up in voicemail.

In order to bypass two-factor authentication, hackers needed a user's online password, which security experts point out is relatively easy to retrieve these days with the high number of breaches occurring daily on the internet and password reuse. They also needed to engage the user's phone so that the code could be left in their voicemail.

There is no evidence to suggest hackers made use of the flaw on any of Vodafone's 4.9 million customer accounts. It was corrected in June but Fairfax waited until global carriers could secure their infrastructure before revealing it.

"We were made aware of research that identified a security issue with our visual voicemail service," Eyman Ahmed, head of information security at Vodafone, said in a statement. "Vodafone's technical team responded to the matter within a matter of hours, and has updated its systems to address it. We thank the researcher for responsibly disclosing this issue to us so that we could address it and ensure our customers remain protected."

But Mr Shah said the fix Vodafone implemented was not well thought out. It involved, he said, locking out hackers - as well as users - from their voicemail after five incorrect PIN attempts. This meant anyone could lock a user out, requiring them to call support to reset their voicemail PIN.
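The trade-off Mr Shah describes can be seen in a short simulation, added here as an illustration and not taken from Vodafone's system: a mailbox-wide lockout after five wrong PINs next to a throttle that delays only the source doing the guessing. The class names, the PIN, the caller labels and the one-hour cap are assumptions, and the throttle assumes the service can reliably tell callers apart.

```python
from collections import defaultdict

MAX_FAILS = 5  # lockout threshold reported in the article

class HardLockout:
    """Mailbox-wide lockout after MAX_FAILS wrong PINs, as the fix is described."""
    def __init__(self, pin):
        self.pin, self.fails = pin, 0

    def attempt(self, source, pin, now):
        if self.fails >= MAX_FAILS:
            return "locked"          # applies to every caller, owner included
        if pin == self.pin:
            self.fails = 0
            return "ok"
        self.fails += 1
        return "wrong"

class PerSourceBackoff:
    """Assumed alternative: delay only the guessing source, doubling per failure."""
    def __init__(self, pin, cap=3600):
        self.pin, self.cap = pin, cap
        self.fails = defaultdict(int)
        self.next_ok = defaultdict(int)   # earliest second the source may retry

    def attempt(self, source, pin, now):
        if now < self.next_ok[source]:
            return "throttled"
        if pin == self.pin:
            self.fails[source] = 0
            return "ok"
        self.fails[source] += 1
        self.next_ok[source] = now + min(self.cap, 2 ** self.fails[source])
        return "wrong"

def owner_after_wrong_guesses(mailbox, seconds=10):
    """Constructed scenario: a stranger sends one wrong PIN per second, then the owner logs in."""
    for t in range(seconds):
        mailbox.attempt("stranger", "0000", t)
    return mailbox.attempt("owner", "4821", seconds)

def guesses_evaluated(mailbox, seconds=86400):
    """Count the stranger's guesses that were actually checked against the PIN in one day."""
    return sum(mailbox.attempt("stranger", "0000", t) == "wrong"
               for t in range(seconds))

if __name__ == "__main__":
    print(owner_after_wrong_guesses(HardLockout("4821")))
    print(owner_after_wrong_guesses(PerSourceBackoff("4821")))
    print(guesses_evaluated(PerSourceBackoff("4821")))
```
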

The vulnerability was linked to the carrier's visual voicemail offered to customers using Apple's iPhone. It's understood the four other global markets where Vodafone offers visual voicemail were not affected.

To notify other telcos about the flaw, Mr Shah informed the GSM Association (GSMA), a group whose members include global telecommunications companies.

James Moran of the GSMA said the group was "very grateful" for Mr Shah's co-operation and confirmed that operators were sent a security alert last week.

As the flaw potentially affects certain configurations of the visual voicemail system, Mr Shah also notified Apple, who acknowledged his findings.